Google is warning Mac, Windows and Linux users of a third zero-day flaw found in Google Chrome. The use-after-free vulnerability in the Chrome browser is under active attack. If exploited, the flaw could allow remote code execution and denial-of-service attacks on affected systems.
The vulnerability resides in Blink, the browser engine for Chrome developed as part of the Chromium project. A browser engine converts HTML documents and other web page resources into the visual representation seen by end users.
According to Google's Friday security update, the Stable channel has been updated to 89.0.4389.90 for Windows, Mac and Linux, and the release will roll out over the coming days and weeks.
The flaw, tracked as CVE-2021-21193, is rated high severity with a CVSS score of 8.8 out of 10. It is a use-after-free bug: a class of memory-safety error in which a program frees a block of dynamically allocated memory but continues to use a pointer to it. Because the allocator can hand the freed block out again, an attacker who controls what lands there next controls what the stale pointer reads, writes or calls, which is how such a bug is turned into code execution.
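The mechanics described above, as an added illustration rather than anything from Chrome or the CVE itself. A toy slab allocator with a LIFO free list stands in for the real heap so that the freed slot is deterministically reused by the next same-size allocation; the Node type, the handler functions and the "attacker" payload are all constructed for the example. The vulnerable flow keeps a dangling pointer and dispatches through attacker-supplied bytes; the hardened flow clears the pointer on release and refuses to dispatch on NULL.

```c
#include <stdio.h>
#include <string.h>

/*
 * Use-after-free on a toy slab allocator. Fixed-size slots come from a
 * LIFO free list, so free() followed by a same-size allocation always
 * returns the slot just freed. Production allocators (glibc tcache,
 * PartitionAlloc in Chrome) behave the same way for same-size requests,
 * which is what an attacker relies on; the toy just keeps this deterministic.
 */
typedef struct {
    void (*on_event)(void);        /* invoked when the node is "activated" */
    char name[24];
} Node;

#define NSLOTS 8
typedef union { Node node; unsigned char raw[sizeof(Node)]; } Slot;

static Slot pool[NSLOTS];
static int  free_list[NSLOTS];
static int  free_top;

static void pool_init(void) {
    free_top = -1;
    for (int i = NSLOTS - 1; i >= 0; i--) free_list[++free_top] = i;  /* slot 0 handed out first */
}
static Slot *pool_alloc(void) { return free_top < 0 ? NULL : &pool[free_list[free_top--]]; }
static void  pool_free(Slot *s) { free_list[++free_top] = (int)(s - pool); }

/* Counters record which handler actually ran. */
int benign_calls, attacker_calls;
static void benign_handler(void)   { benign_calls++; }
static void attacker_handler(void) { attacker_calls++; }  /* stands in for attacker-chosen code */

/* Constructed attacker payload: a same-size allocation whose first bytes
 * overlay Node.on_event with the address of attacker_handler. In a browser
 * this is JavaScript allocating objects to reclaim the freed slot. */
static void attacker_reclaims_slot(void) {
    unsigned char *spray = pool_alloc()->raw;
    void (*fn)(void) = attacker_handler;
    memcpy(spray, &fn, sizeof fn);
    memcpy(spray + sizeof fn, "pwn", 4);
}

/* Vulnerable: the node is freed but the caller keeps using the stale pointer. */
int vulnerable_flow(void) {
    pool_init();
    benign_calls = attacker_calls = 0;
    Node *n = &pool_alloc()->node;
    n->on_event = benign_handler;
    strcpy(n->name, "button");
    n->on_event();                 /* legitimate use */
    pool_free((Slot *)n);          /* lifetime ends; 'n' is now dangling */
    attacker_reclaims_slot();      /* freed slot now holds attacker data */
    n->on_event();                 /* use-after-free: dispatch via the attacker's pointer */
    return attacker_calls;         /* 1: attacker_handler ran */
}

/* Hardened: release clears the caller's pointer and dispatch refuses NULL.
 * This closes the single alias shown here; a real fix must also cover every
 * other reference to the object (ownership, refcounting), since nulling one
 * copy does nothing for the others. */
static void node_release(Node **np) {
    if (*np) { pool_free((Slot *)*np); *np = NULL; }
}
static int node_dispatch(Node *n) {
    if (!n) return -1;
    n->on_event();
    return 0;
}

int hardened_flow(void) {
    pool_init();
    benign_calls = attacker_calls = 0;
    Node *n = &pool_alloc()->node;
    n->on_event = benign_handler;
    strcpy(n->name, "button");
    node_dispatch(n);
    node_release(&n);              /* frees and nulls */
    attacker_reclaims_slot();      /* slot reused, but nothing stale points at it */
    return node_dispatch(n);       /* -1: refused, attacker_calls stays 0 */
}

int main(void) {
    int v = vulnerable_flow();
    int h = hardened_flow();
    printf("vulnerable: attacker handler ran %d time(s)\n", v);
    printf("hardened:   dispatch returned %d, attacker handler ran %d time(s)\n", h, attacker_calls);
    return 0;
}
```

The point to take from the two flows is that the dangerous step is not the free itself but the reuse: once the slot is reallocated, the stale pointer's type no longer matches the bytes it points at, and a function pointer read through it is whatever the attacker placed there.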
According to an IBM X-Force vulnerability report, the flaw could allow a remote attacker to execute arbitrary code on the system.
An attacker can persuade a victim to visit a specially crafted website and then exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system.
Further details of the flaw are being withheld until a majority of users have updated to the fixed version.
Google also issued four other security fixes on Friday.
In most cases, Chrome updates to its newest version automatically. Users can check whether the update has been applied:
Go to chrome://settings/help (Settings > About Chrome).
If an update is available, Chrome will notify the user and start the download.
Relaunch the browser to complete the update. The downloaded update is not active until the relaunch, so a browser that has fetched the fix but has not been restarted is still running the vulnerable version; the version shown on the About page should read 89.0.4389.90 or later.